Rep. Connolly: National data breach notification law could be coming

A cybersecurity-focused lawmaker says Congress may have to consider national data-breach notification legislation if companies don’t do a better job of alerting people when they’ve suffered a breach.

Rep. Gerry Connolly, D-Va., said he hopes for a national standard to evolve among the private sector, but massive breaches like that at credit monitoring firm Equifax may force Congress’s hand.

Congress doesn’t “want to upset the technology community with obtrusive regulation,” but the private sector has been poor in instilling confidence that it will act in the public’s best interest, he said.

“I think it’s headed that way absent some fresh look by industry, a benchmark standard that everybody’s accepted voluntarily to meet, so that federal regulation is unnecessary,” Connolly told CyberScoop Thursday during Dell Technologies’ Digital Transformation Summit. “I think Equifax is a great test of whether industry is capable of meeting that test.”

Equifax has come under great scrutiny for the way it handled a breach that affected 145.5 million people. The firm discovered the breach July 29, six weeks before revealing it to the public.

Currently, companies are held to a patchwork of state-level breach notification laws that differ depending on the location. Equifax, headquartered in Atlanta, was bound by Georgia law.

The state’s law stipulates that data breach notifications “shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”